Slashdot Mirror

← Back to Stories (view on slashdot.org)

3D-Based CAPTCHAs Become a Reality

Posted by Soulskill on from the is-that-an-e-wait-i-think-it's-a-5-dangit-let-me-in dept.

mateuscb writes "A new way of creating a CAPTCHA using 3D objects has become a reality. The idea was thought up independently by blogger Taylor Hayward and by the folks at YUNiTi.com. 'Similar to Hayward's idea, this new technology relies on our ability to identify objects in 3D instead of using alphanumeric characters. YUNiti's 3D Captcha, however, has three objects in the challenge and extends the list of images to any object, not limiting it to animals as in Hayward's idea. This increases the challenge's level of complication to prevent computers from successfully making the correct guesses.' I, for one, welcome the thought of not having to read more and more complex CAPTCHA. Lately, I've been having a hard time getting CAPTCHA to work the first time."

46 of 192 comments (clear)

  1. 3D? Pfft. by Anonymous Coward · · Score: 2, Funny

    I want 4D CAPTCHAs, so even humans can't figure them out. Think... Hypercube... the CAPTCHA.

    1. Re:3D? Pfft. by fracai · · Score: 2, Funny

      So... you get access to the site, and then the CAPTCHA kills you?

      --
      -- i am jack's amusing sig file
    2. Re:3D? Pfft. by Jurily · · Score: 3, Insightful

      Pfft. Mere mortal.

      Kinda defeats the purpose of a captcha if it looks like noise to a human, but is solvable by a computer.

    3. Re:3D? Pfft. by SnapShot · · Score: 2, Funny

      Actually, it's genius. You only allow submissions from browsers who DON'T answer the CAPTCHA correctly.

      --
      Waltz, nymph, for quick jigs vex Bud.
  2. First time? by Tubal-Cain · · Score: 5, Funny

    I've been having a hard time getting CAPTCHA to work the first time.

    And the secondtime . And the third time. And the fourth. And the....

    1. Re:First time? by Idiomatick · · Score: 4, Funny

      You know what that means don't you? You are probably not actually human. The test was designed to weed out 'your' kind. I bet you couldn't even pass a simple Turing test against a 13 year old girl if you can't pass a Captcha. It really is sad when they learn the truth.

    2. Re:First time? by Tubal-Cain · · Score: 5, Funny

      Do you wish that i cant pass a captcha it really is sad what they learn the truth?

    3. Re:First time? by neokushan · · Score: 3, Funny

      So what you're saying is, right, that all of this has happened before and all of this will happen again?

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    4. Re:First time? by MacTO · · Score: 5, Funny

      I've been having a hard time getting CAPTCHA to work the first time.

      And the secondtime . And the third time. And the fourth. And the....

      I was having trouble too, until I found this awesome piece of software that solves CAPTCHAs for me. It even automatically finds the CAPTCHA image and text entry field so that I don't even have to be bothered by it. ;)

    5. Re:First time? by OeLeWaPpErKe · · Score: 3, Interesting

      Actually I wonder how this captcha holds up against basic neural net analysis. How much do they offer these days for captcha crackers ? It looks like it's basically a silhouette, I expect this will do a lot worse (due to less combinations) than "normal" scrambled letters captchas.

      The price has really been going down on captcha crackers. Every idiot and his mother are making them these days. Lots of indians losing jobs ...

      The sad thing is, my own captcha crackers are much better at solving captchas than my own mother. And there are days when my program outperforms me as well (might have something to do with alcohol, YMMV).

      But writing a computer program solving captchas has become so simple it's not even funny anymore. Just collect a few of them, preferably a few hundred, with solutions, then create a simple 2 or 3 layer neural net with every pixel as input and some way of encoding the answer as output (e.g. a-z0-9, each letter it's own neuron), and train away.

      On my newest laptop even doing the training in python is not taking the weeks it used to take. Laptop. Not university supercomputer. Laptop. The huge amounts of memory that come so cheap nowadays really help.

      *sigh*. The day that humans will have more trouble "proving" their humanity than computers is marching closer at an amazing speed ...

      Basic captcha cracking tutorial

  3. Rationality check by mongrol · · Score: 4, Insightful

    Let's see now. If the spammers and robot makers went outside, done something worthwhile and produced something the world badly needs (food) then this nonsense wouldn't exist, I could surf in peace and the starving millions would live a little longer. The very existence of CAPTCHA's proves the human race is badly in need of a reset.

    1. Re:Rationality check by MWoody · · Score: 5, Insightful

      Such is the way of all intelligent life, though. If you build a maze for a mouse, the rodent may run its course a thousand times to reach the end and its reward. But never be fooled for a second: the mouse likes the cheese, not the maze. If he finds a way to climb over the walls and skip the test entirely, you should be neither surprised nor angry, as the failure is yours.

    2. Re:Rationality check by Idiomatick · · Score: 4, Insightful

      We should spend that effort spammers put out to get useful work done. Re-captcha is a perfect example. How about Google, want a new tagging system for images? It would make image search MUCH more usable. It could also be used to help AI/learning and object recognition. Just set up Captchas to do meaningful boring things that otherwise would not get done. I've no idea why this isn't more widespread.

    3. Re:Rationality check by Seto89 · · Score: 2, Funny

      Resetting the human race? That's ROBOT talk!!

      --
      There are two kinds of people - those who are radioactive and those who have already decayed..
  4. Humans can defeat humans by Lord+Satri · · Score: 4, Informative

    Interesting, but in a previous /. discussion, I got convinced that there was no perfect captcha, since one can simply pay a group of underpaid workers (e.g. in poor country) to manually solve the captchas...

    --
    Animoog.org
    1. Re:Humans can defeat humans by bobetov · · Score: 5, Interesting

      It's much worse than that. Put up a porn site. Use free content. Have a "Solve captcha to get free pics!" blocker.

      Now, grab a captcha you want to break, show to pornaholics, get solution, pass it back to the original site.

      Perfectly unbeatable captcha solving, for virtually free, and totally automated.

      Feh.

      --
      Looking for a Rails developer in Chapel Hill?
    2. Re:Humans can defeat humans by MeanMF · · Score: 5, Funny

      Easy - just make the CAPTCHA so you have to simultaneously type something with both hands.

    3. Re:Humans can defeat humans by forkazoo · · Score: 4, Insightful

      Interesting, but in a previous /. discussion, I got convinced that there was no perfect captcha, since one can simply pay a group of underpaid workers (e.g. in poor country) to manually solve the captchas...

      If it requires actual workers, then it is a perfectly working CAPTCHA. "Completely Automated Public Turing test to tell Computers and Humans Apart." Don't think of it as a way to keep bad posts from your forum, because it isn't. It just tries to increase the likelihood that a human was involved in the process. If you want to limit abuse, getting a guarantee that a human was involved is only one small step in the process.

    4. Re:Humans can defeat humans by Hognoxious · · Score: 2, Insightful

      Seriously, how many people do you know who can do two different things with both hands at the same time?

      Like steering and changing gear?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    5. Re:Humans can defeat humans by CMKCot · · Score: 2, Interesting

      Easy - just make the CAPTCHA so you have to simultaneously type something with both hands.

      I think that could actually be good idea. having not just to type but also to follow certain rules typing, like following a simple rhythm. Maybe typing something under an abstract set of rules, like "make me a triangle" answer could be any combination of keys that results in a triangle, like "sef" "gbh" "vym". Oh well, I'm sure someone thought about it already and found a flaw on it. PS: thinking possible CAPCHA schemes is a fun pass-time.

      --
      demanding some serious suspension of disbelief on your behalf.
    6. Re:Humans can defeat humans by RyoShin · · Score: 4, Interesting

      That's very true. The problem now isn't rendering CAPTCHAs useless, it's doing so by automated means.

      As you said, anything that must be used by humans can be broken by humans. But you still wind up with logistics problems--having the money to pay these people (or, in the case of free porn, the bandwidth and content to keep them interested) and the fact that those people are still limited by their humanity. Even the fastest typist wouldn't be able to complete a form (CAPTCHA aside) as quick as a robot. And, if a robot can break a CAPTCHA, it can fill that out faster than a human, as well.

      So the issue is preventing, or at least slowing down, robots, which can work 24/7 without a break. A variety of things have been done with normal CAPTCHAs to do this: colors, lines, running letters into each other, adding cats and dogs to letters (seriously). This step, once "perfected" and widely adopted, will be a huge leap in stopping these robots. Even if they can be trained to have a copy of the exact 3D models given (which are sure to increase in variety if not types), they still have to take a picture of it from every single angle, which I believe is 359^3 images, and then compare every single one (which is O(x^n) time, where x is the time for one image comparison).

      It's an arm's race, though. Eventually some enterprising hacker will figure out a way for bots to "guesstimate" based on various aspects of an image, and once that solution is sold to the highest bidder we start the war all over again.

    7. Re:Humans can defeat humans by Goaway · · Score: 4, Insightful

      If the spammers have to pay to spam, we've already won.

    8. Re:Humans can defeat humans by appleprophet · · Score: 2, Interesting

      From the rReCAPTCHA FAQ

      Are CAPTCHAs secure? I heard spammers are using porn sites to solve them: the CAPTCHAs are sent to a porn site, and the porn site users are asked to solve the CAPTCHA before being able to see a pornographic image.

      CAPTCHAs offer great protection against abuse from automated programs. While it might be the case that some spammers have started using porn sites to attack CAPTCHAs (although there is no recorded evidence of this), the amount of damage this can inflict is tiny (so tiny that we haven't even seen this happen!). Whereas it is trivial to write a bot that abuses an unprotected site millions of times a day, redirecting CAPTCHAs to be solved by humans viewing pornography would only allow spammers to abuse systems a few thousand times per day. The economics of this attack just don't add up: every time a porn site shows a CAPTCHA before a porn image, they risk losing a customer to another site that doesn't do this.

    9. Re:Humans can defeat humans by zrobotics · · Score: 2, Insightful

      You know, it really wasn't using both hands at the same time that was the problem. At least for me, the real problem was coordinating the two feet at the same time. Unless we're driving a motorbike...

    10. Re:Humans can defeat humans by Zerth · · Score: 2, Interesting

      One, 359^3 leaves out rotations on multiple axes.

      Two, even including that, though, you don't need every degree along each axis of rotation, you could probably get by with eighths or maybe even quarter rotations if current machine vision techniques are used. I've seen optical testers that could identify a particular object rotated along one axis with just one "quality ideal" reference photo and tests a few hundred objects/second. Not angles, objects. Spits them out like a machine gun.

    11. Re:Humans can defeat humans by noidentity · · Score: 3, Funny

      It's an arm's race, though.

      Actually, I don't think there are any arms racing here, though I could be wrong. That kind of race sounds boring, anyway.

    12. Re:Humans can defeat humans by shoemilk · · Score: 2, Funny

      like following a simple rhythm.

      Dear god! Like I don't fail captchas enough without adding in my rhythm-less whiteness to the equation!

  5. object recognition by saiha · · Score: 2, Interesting

    I dunno, there has been quite a bit of research done with image/object recognition. You could break this by not matching pictures directly but by seeing that the first one is a bunny (so look for a bunny in the list), the second one is a hammer, etc...

  6. This Is Great for Progress in AI by Louis+Savain · · Score: 3, Insightful

    CAPTCHAs are among the best motivators for progress in AI research since DARPA began throwing gobs of money around. The question is, what will happen to online forums and social/financial networks when machines become indistinguishable from humans?

    1. Re:This Is Great for Progress in AI by Anonymous Coward · · Score: 3, Funny

      They will be smart enough to wonder why they have to post ads for cheap mortgages.

    2. Re:This Is Great for Progress in AI by supernova_hq · · Score: 2, Insightful

      Why would you want a sexbot that gets a head-ache every night?

  7. Easy to defeat by grumbel · · Score: 3, Insightful

    As is, this seems relatively easy to defeat and well within reach of available technology. The number of 3D models is rather low and they have a very clear silhouette and also a very distinct one for each models. So all one has to do is to search for the best matching silhouette.

    The good thing however is that 3d models have enough flexibility so that one could conquer many attacks, adding background images and texture would make it much more difficult to get a clear silhouette and one could of course easily introduce many more models into the mix.

    1. Re:Easy to defeat by Hognoxious · · Score: 3, Interesting

      The number of 3D models is rather low and they have a very clear silhouette and also a very distinct one for each models.

      They were all pretty easy except for the toilet. I assume it's the lower left one in the grid, but I had to work it out by elimination.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:Easy to defeat by cliffjumper222 · · Score: 2, Insightful

      Actually no. The objects are rotated and at different perspectives, so it's not the same silhouette at all. Also, they throw in a tricky one every so often, like they show you a helicopter but there is only a plane to chose from, i.e. it's a flying object. It might catch some dumb people, but most humans will have a go at a logically similar picture.
      Also, to those posters who say CAPTCHA's can be overcome by porn site watching humans, well yeah, but a CAPTCHA is by definition a test to tell humans and computers apart (look up the acronym), so if the only way to defeat it is to use humans, then it's still a successful CAPTCHA, even if it is not a successful gatekeeper to a site.

  8. Re:Obvious, not innovative by jebrew · · Score: 2, Interesting
    How about animated text in a flash box that you have to read...surely it would be pretty hard for a bot to read 3-d rotating animated text right?

    Would that be innovative?

  9. An Alternative by Nom+du+Keyboard · · Score: 3, Insightful

    Or as an alternative, we could actually track down the people who continue to make the Internet a swamp, beat them within an inch of their lives, let them spend a hot humid summer in full body traction, and maybe not only wouldn't they do it again but others might not either.

    And put it on YouTube afterwards.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  10. Image size is a problem by basementman · · Score: 2, Interesting

    The problem with 3d images, and complex non text CAPTCHAs in general is image size. You need to have enough different images so that the computer can't just brute force it, and those images need to be big enough so the user can actually see it. by the time you fulfil these obligations the CAPTCHA is taking up a good 3/4 of a page.

    --
    A Magic the Gathering Article and Forum Aggregator
  11. 4D? Pfft. by artor3 · · Score: 5, Funny

    If you wanna post on my site, you better be prepared to solve the 5D hyper-hyper-cube!

  12. First Cylon... by im_thatoneguy · · Score: 3, Funny

    It's becoming more evident every day that the first cylon will be a Captcha solver.

    It won't be too long before Captchas will be little reading comprehension tests like on a 3rd grade social studies test.

    After that we'll just have to revert to empathic testing. Sadly those with Autistic Spectrum Disorders will no longer be able to use webmail.

  13. A few common CAPTCHA fallacies by QuoteMstr · · Score: 5, Insightful

    Everyone has a great idea for a CAPTCHA, but very few people know what the hell is really going on. Remember that the machine doesn't need to solve the CAPTCHA every time, that machines are infinitely patient and have huge memories, and that another machine needs to make sure the human gave the right answer!

    Ideas that won't work:

    1. Make clients identify an object from a picture. Machines can't describe objects in pictures: if machines can't describe the picture, how the hell is the CAPTCHA server supposed to verify that the client gave the correct answer? If a human being manually inputs the pictures and acceptable descriptions for each, then another human can program his attacking machine to do the same thing! Having a large, but finite set of pictures doesn't help either since a machine doesn't need to solve the CAPTCHA every time. It can just learn the correct responses without actually understanding the image. ANY APPROACH BASED ON IDENTIFYING A MEMBER OF A FINITE SET DOES NOT WORK AS A CAPTCHA.
    2. As a special case of #2, QUIZZES DO NOT WORK: either the questions are finite and subject to attacker memorization, or the number of patterns for the question is finite, and these patterns can be detected by a machine. (Consider "A train is coming from Denver at X miles per hour..." --- same problem, different coefficients)
    3. Send the client a special program that verifies he's real: if it doesn't work for DRM, it won't work for CAPTCHAs. An attacker can just program his machine to simulate slow typing, slow thinking, or a cross-eyed human being. YOU CANNOT CONTROL THE EXECUTION ENVIRONMENT. No amount of Javascript obfuscation, encryption, or header-checking will make the slightest bit of difference for a determined hacker.
    4. As a special case of #3, TIMING ANALYSIS DOES NOT WORK. Machines can simulate arbitrary delays.
    5. Limiting CAPTCHA-solving attempts by cookie/IP address/etc.: that doesn't work. Attackers don't obey web standards, and have botnets

    Really, it's very easy to think you've come up with a very clever CAPTCHA. When you think that, all you've done is stoked your ego and screwed yourself over. It's the same reason why we don't roll our own cryptography: CAPTCHA-making is a very hard problem, mainly because your problem space must be infinite (to avoid an attacking machine simply memorizing answers), the answers verifiable by a machine, but the problems not solvable by a machine.

    How many questions can be checked by machines but not answered by them?

    Not many; fewer every day. There are no questions that can't be answered by a computer (and which can be answered by a human mind). The Church-Turing thesis has some validity: the human mind is no more powerful than a turing machine, and ultimately, computers and our brains are equivalently computationally. There's nothing a computer can't solve: there are just things we haven't figured out yet.

    1. Re:A few common CAPTCHA fallacies by Anonymous Coward · · Score: 2, Insightful

      Repeat after me: It does not need to be impossible to fake, just too expensive to be worth it.

  14. More notes by QuoteMstr · · Score: 2, Insightful

    Oh, and there are problems computers can't (easily) solve, but can verify. The problem is that human brains can't solve these problems either!

    Before someone jumps in with "humans can solve the halting problem!" -- we really can't. There are problems that obviously halt, and programs that obviously don't. We can tell these apart, but so can computers. It's the complicated, borderline cases that trip up both people and computers.

    Furthermore, there are important caveats to the halting problem: first, you can tell whether a program halts in a given time. You just run it and see whether it halts! Human beings do this all the time when debugging hanging programs. We use a good heuristic that says "if a program doesn't quit after a good long while, it probably won't quit at all." (And that holds in most cases.)

    Second, the halting problem can be solved, via brute force if necessary, for a restricted-memory machine. Make the available memory size small enough and you can actually perform useful validation. The proof of the halting problems' unsolvability applies only to unrestricted turing machines.

    A true turing machine has never been built, and can't exist in our universe. Every computer is a limited-memory approximation.

  15. Re:Practically cracked already by QuoteMstr · · Score: 2, Informative

    every time somebody adds a 3d object into their captcha, you would have to get enough sample images to train your classifier.

    It's worse than that, actually. Remember, a machine doesn't need to pass the captcha every time. You only need to worry about re-training your image recognizer when the success rate falls below a useful level, and even very low levels of CAPTCHA success are useful for spammers.

    Personally, I think the regular photographic captchas (i.e., "click on the Siamese cat") are a better idea.

    Won't work. Where will you get your pictures of Siamese Cats? If you take them yourself, you'll only have a few. Spammers will simply train their bots to recognize these cats.

    If you have lots of pictures of cat and non-cat objects, the attacker has two strategies: either he can get the same database you did (which you didn't make, because making a large enough database would be cost-prohibitive), or failing that, he just trains his image recognized to pick out characteristics of Siamese cats the same way a human brain would.

    You know enough that recognizing 3D shapes is a solved problem; doesn't it seem clear that recognizing textures would be just as tractable?

    And I imagine you could create tough cases, but these cases will also trip up human beings.

  16. Re:I never have had a problem with captcha by JackieBrown · · Score: 2, Funny

    It appears you overcame that obstacle

  17. 3D recognition is a solveable problem. by Animats · · Score: 2, Informative

    3D recognition is a solveable problem. As someone else mentioned, there are machine learning techniques that work. Recognizing a 3D object from multiple angles is a very old AI problem, one that DoD-funded work was addressing as early as the 1960s. It's easier than 3D reconstruction from multiple 2D images, which is a commercially available technology.

    I think we're reaching the end of the line on CAPCHAs. There's now overlap between the smarter vision programs and the dumber users.

  18. They must be Runescape players by peterofoz · · Score: 5, Interesting

    So Jagex's Runescape MMORPG has had this for a couple of years in random events to defeat macros.

    http://www.runescape.com/